Application Risk Management

Application risk management is the process of identifying and managing potential threats in software applications. It has become increasingly important as application vulnerabilities are among the most significant threats to a company's security posture.

SAP notes that 84% of cyber attacks target the application layer. As open source components become more prevalent, so does the risk of open source vulnerabilities within an organization's code libraries.

Application Security Risks

In a recent survey by the Ponemon Institute, 69% of respondents said their organization does not know the full set of applications or databases that are currently active. This is a large population that lacks insight into potentially at-risk applications, let alone into the portfolio of open source components within them.

Additionally, nearly 30% of the Ponemon respondents indicated that they have no application risk management process at all. This leaves them exposed to security breaches and to the higher remediation costs that come with vulnerabilities identified late in the development cycle.

Recover: Business continuity plans to quickly resume activities after a breach, minimizing the impact on operations and the customer experience.

Addressing Application Security & Open Source Use

Applications built with open source software are subject to the same security standards as proprietary software, with the added complexity of addressing vulnerable open source components within a project.

Awareness: Establish a complete inventory of the open source components in your custom applications and record them in a bill of materials (BOM). The BOM gives you a full account of the open source components that must be monitored for vulnerabilities, as well as for code quality and compliance risks.

Security: NIST puts the cost of fixing a software error after release at nearly 30x the cost of fixing it during coding. By mapping the open source BOM to databases of known vulnerabilities, at-risk code can be located and remediated early, with minimal disruption to the SDLC and at significantly lower cost.
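The following is an added example, not code from the original page or from any particular OSVM product, that demonstrates the Awareness and Security steps above: it reads a small CycloneDX-style BOM and matches each component against an advisory feed with affected-version ranges. The BOM contents, the package names and the advisory ids (EXAMPLE-0001 and so on) are constructed placeholders, not real projects or real CVEs, and the constraint syntax (">=2.0.0,<2.10.0") is an assumption of this example. It also shows the pitfall that a naive implementation hits: versions must be compared numerically, because as strings "2.9.0" sorts after "2.10.0" and a vulnerable component would be missed.

```python
"""Added example: map an open source bill of materials (BOM) against a
vulnerability feed and list the components that need remediation.

All data below is constructed for illustration: the component names,
advisory ids (EXAMPLE-*) and affected ranges are placeholders, not real
packages or real CVEs."""

import json
import re

# Constructed BOM in a CycloneDX-like shape (name + version per component).
BOM_JSON = """
{
  "components": [
    {"name": "left-pad",     "version": "1.1.3"},
    {"name": "imagelib",     "version": "2.10.1"},
    {"name": "imagelib",     "version": "2.9.0"},
    {"name": "fastjson-ish", "version": "0.4.7"},
    {"name": "safe-lib",     "version": "3.0.0"}
  ]
}
"""

# Constructed advisory feed. "affected" is a comma-separated list of
# constraints that must all hold for a version to be vulnerable.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "imagelib",
     "affected": ">=2.0.0,<2.10.0", "fixed_in": "2.10.0"},
    {"id": "EXAMPLE-0002", "package": "fastjson-ish",
     "affected": "<0.5.0", "fixed_in": "0.5.0"},
    {"id": "EXAMPLE-0003", "package": "left-pad",
     "affected": ">=1.2.0,<1.3.1", "fixed_in": "1.3.1"},
]

# Operator alternation lists two-character operators first so ">=" is
# not matched as ">" followed by a stray "=".
_CONSTRAINT = re.compile(r"^(>=|<=|==|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'2.10.1' -> (2, 10, 1). Versions must be compared numerically:
    as strings '2.9.0' sorts *after* '2.10.0', which would hide a finding."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so (1, 0) == (1, 0, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version, spec):
    """True if `version` satisfies every constraint in `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        match = _CONSTRAINT.match(clause.strip())
        if match is None:
            raise ValueError(f"unsupported constraint: {clause!r}")
        op, bound = match.group(1), parse_version(match.group(2))
        left, right = _pad(v, bound)
        holds = {">=": left >= right, "<=": left <= right, "==": left == right,
                 ">": left > right, "<": left < right}[op]
        if not holds:
            return False
    return True


def find_vulnerable(bom_json, advisories):
    """Return one finding per (component, version, advisory) match,
    in BOM order. A package that appears twice in the BOM (for example
    as two transitive dependencies) is checked once per version."""
    components = json.loads(bom_json)["components"]
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    findings = []
    for comp in components:
        for adv in by_package.get(comp["name"], []):
            if version_in_range(comp["version"], adv["affected"]):
                findings.append({"component": comp["name"],
                                 "version": comp["version"],
                                 "advisory": adv["id"],
                                 "fixed_in": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(BOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} "
              f"(upgrade to {f['fixed_in']})")
```

Run as a script, the example reports imagelib 2.9.0 and fastjson-ish 0.4.7 as needing upgrades, while imagelib 2.10.1 (already past the fix) and left-pad 1.1.3 (below the affected range) are clean. In a real pipeline the BOM would be generated by the build and the advisory feed pulled from a vulnerability database; the matching logic, and in particular the numeric version comparison, is the part that stays the same.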

Security Testing: Applications should be examined with an array of security testing tools including, but not limited to, Static, Dynamic, and Interactive Application Security Testing (SAST, DAST and IAST). To address open source application risks that these tools do not cover, we suggest using an Open Source Vulnerability Management (OSVM) solution.